DosDetection
BitNinja has a built-in module for monitoring currently active connections and intervening in case of a potential denial of service attack. If there are more than 80 connections from a single IP, BitNinja detects it as an attack. The threshold of 80 connections can be configured on a per-port basis.
Configuration
The thresholds can be changed in the config file: /etc/bitninja/DosDetection/config.ini
;
; Thresholds set to DoS Detection
;
[tresholds]
general = 80
; Threshold for remote SMTP servers.
remote[25] = 200
remote[53] = 200
; Threshold for local ports
local[22] = 40
;You can set restrictions for remote and local ports. For example to change
;the number of connections allowed to the default IMAP4 port (143) you can do this:
local[143] = 150
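To preview which source IPs would exceed a given set of thresholds before changing them, the check can be modelled offline. This is an added example, not BitNinja's own code: the function names, the per-IP-per-rule counting, the rule precedence (local port, then remote port, then general) and the sample connections are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample that mirrors the [tresholds] section shown above.
SAMPLE_CONFIG = """\
[tresholds]
general = 80
remote[25] = 200
remote[53] = 200
local[22] = 40
local[143] = 150
"""

# Constructed connections: (remote_ip, local_port, remote_port).
SAMPLE_CONNS = (
    [("198.51.100.7", 22, 40000 + i) for i in range(41)]     # SSH, limit 40
    + [("203.0.113.9", 143, 41000 + i) for i in range(100)]  # IMAP, limit 150
    + [("192.0.2.5", 80, 42000 + i) for i in range(81)]      # general, limit 80
    + [("192.0.2.25", 43000 + i, 25) for i in range(150)]    # remote SMTP, limit 200
)

RULE = re.compile(r"(general|local|remote)(?:\[(\d+)\])?\s*=\s*(\d+)")

def parse_thresholds(text):
    """Parse general, local[port] and remote[port] lines; skip everything else."""
    th = {"general": 80, "local": {}, "remote": {}}
    for line in text.splitlines():
        m = RULE.fullmatch(line.strip())
        if not m:
            continue  # section header, comment or blank line
        kind, port, value = m.group(1), m.group(2), int(m.group(3))
        if kind == "general":
            th["general"] = value
        elif port is not None:
            th[kind][int(port)] = value
    return th

def bucket(th, lport, rport):
    """Assumed precedence: local[port], then remote[port], then general."""
    if lport in th["local"]:
        return ("local", lport), th["local"][lport]
    if rport in th["remote"]:
        return ("remote", rport), th["remote"][rport]
    return ("general", 0), th["general"]

def over_threshold(conns, th):
    """Return sorted (ip, rule, count) entries whose count exceeds the limit."""
    counts = Counter((ip, *bucket(th, lp, rp)) for ip, lp, rp in conns)
    return sorted((ip, k, n) for (ip, k, lim), n in counts.items() if n > lim)
```

With the constructed data, only the SSH source (41 connections against a limit of 40) and the general-rule source (81 against 80) are reported; the IMAP and remote SMTP sources stay under their raised limits.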
When BitNinja detects a DoS attack, it blocks the IP for 1 minute and then places it on the challenge list, allowing the user to delist his/her IP. To change the default block time, you can modify /etc/bitninja/IpFilter/config.ini or add this section with the proper value:
[times]
;
; Temporary block list time in DoS suspicious requests; default: 60
;
tmp_bl_sec = 60
You can read more about the challenge list on the Captcha HTTP page.
Don't forget to restart BitNinja after creating the custom restrictions.
service bitninja restart